January 28, 2021
Severity
High
Analysis Summary
New samples of Word documents from TA551 (Shathak) have been detected pushing malware. This actor was active until December pushing IcedID malware before going on break for the holidays. Now that it has returned, TA551 has been pushing Qakbot (Qbot) malware instead of IcedID. Qakbot has been distributed in the wild since June 2020, followed by more campaigns in August, September and October. By mid-December 2020, Qakbot was persistently running its latest malspam campaigns. The current campaign is similar to the older ones in its operational flow.
Once the malicious file is downloaded and macros have been enabled, Qakbot is installed on the compromised system and begins its post-infection activity.
The Qakbot-infected hosts then start spamming more Qakbot, with a different affiliate/campaign ID on those Qakbot samples. Because of this, and its previous history of pushing different malware families, TA551 (Shathak) is believed to be a distributor for other criminals in the cyber threat landscape: the other criminals push the malware itself (like the criminals behind Qakbot), while TA551 is specifically a distribution network.
Impact
- Credential Theft
- Unauthorized Access
- Theft of banking information
- Unauthorized Code Execution
- Information theft
Indicators of Compromise
Domain Name
- 5that6[.]com
MD5
- 9a21b20bf0f722b2cd46058cbfad5571
- fef0ec6a4d70fd419911740a4774215c
- e54aa6017f53064aa6c231615e98ff95
SHA-256
- 7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753
- 231b081480a80b05d69ed1d2e18ada8a1fd85ba6ce3e69cc8f630ede5ce5400e
- 17cd3c11fba639c1fe987a79a1b998afe741636ac607254cc134eea02c63f658
SHA1
- f359c45f331d5b159a1ae6ef80135f937bf32856
- 5b189240383dd7fb414dedca0c2768be573e53d4
- 1f3ad3e8ec787a4853cd18ea286d7fc671add9d2
URL
- http[:]//5that6[.]com//assets/55ddb775/ce51025b12/9b75bbce/8a06fd47/6ac84e7424b0539286562b/xtuaq14?anz=125c5909&dlzwg=7aec167a5a2ab0&bu=a09f740
- http[:]//5that6[.]com/
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not enable macros for files downloaded from untrusted sources.
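To act on the first remediation item, the indicators above have to be refanged and matched against proxy logs and file hashes. The script below is an added example, not part of the advisory: it carries the domain and hash indicators listed above in their defanged form, and the proxy log lines it runs over are constructed for illustration.

```python
"""Match the TA551/Qakbot indicators from this advisory against proxy logs and files."""
import hashlib
import re

# Indicators copied from the advisory, kept in their defanged form.
DEFANGED_DOMAINS = ["5that6[.]com"]
KNOWN_HASHES = {
    "md5": {"9a21b20bf0f722b2cd46058cbfad5571", "fef0ec6a4d70fd419911740a4774215c",
            "e54aa6017f53064aa6c231615e98ff95"},
    "sha256": {"7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753",
               "231b081480a80b05d69ed1d2e18ada8a1fd85ba6ce3e69cc8f630ede5ce5400e",
               "17cd3c11fba639c1fe987a79a1b998afe741636ac607254cc134eea02c63f658"},
}


def refang(indicator):
    """Undo the defanging conventions used in the advisory ([.] and [:])."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def blocked_domains():
    return {refang(d).lower() for d in DEFANGED_DOMAINS}


def matching_proxy_lines(log_lines):
    """Return (line_number, host) for log lines whose destination host is a listed domain."""
    domains = blocked_domains()
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"https?://([^/\s:]+)", line)
        if not m:
            continue
        host = m.group(1).lower()
        # Match the listed domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((n, host))
    return hits


def hash_matches(data):
    """Return the hash algorithms under which `data` matches a listed sample."""
    return [alg for alg in ("md5", "sha256")
            if hashlib.new(alg, data).hexdigest() in KNOWN_HASHES[alg]]


# Constructed sample proxy log lines (not from the advisory); paths are made up.
SAMPLE_LOG = [
    "2021-01-28T10:02:11Z 10.0.0.15 GET http://5that6.com/assets/sample/xtuaq14 200",
    "2021-01-28T10:02:12Z 10.0.0.15 GET https://example.org/index.html 200",
    "2021-01-28T10:03:40Z 10.0.0.22 GET http://cdn.5that6.com/x 404",
]

if __name__ == "__main__":
    print(matching_proxy_lines(SAMPLE_LOG))
```

The subdomain match is deliberate: a block on the registered domain should also catch hosts under it, which an exact-string comparison would miss.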